Internet-connected sensors and software are helping utilities better manage loads, but they also create new vulnerabilities.

Growing exposure to smart-grid-related cybersecurity risks is forcing state regulators to play a bigger role in preparing utilities for potential threats.

The nation’s increasingly networked electric grid is helping utilities to more efficiently manage loads, including from variable renewables. As data-collecting, internet-connected meters and sensors become ubiquitous, though, they’re also creating new vulnerabilities: countless entry points to be exploited by hackers.

The Illinois Commerce Commission opened its Office of Cybersecurity and Risk Management two years ago. It remains a unique example of how utility commissions are approaching cybersecurity.

In late 2017 and 2018, the office brought electric, telecommunications, gas and water utility officials together into one room to practice responding to a fictional, but realistic, emergency. The tabletop exercises are part of the office’s larger goal of facilitating cross-sector collaboration so utilities can learn from each other.

“There are some big utilities in Illinois, and we got them together,” said Dominic Saebeler, the ICC’s director of cybersecurity and risk management. Utilities practice emergency protocols on their own, he said, but the goal of the exercises was to get them all in the same space, dealing with specific obstacles. For example, Saebeler said, “How would you respond to a weather event that also has a cyber part to it?” He was hesitant to give exact details to avoid tipping off hackers to potential risks, he said.

Planning for the first exercise, held in December 2017, began the summer before, when Saebeler and colleagues discussed the possibility of hosting the event with Illinois’ utilities. Once he knew utilities were receptive, he took the next three months to develop a Monopoly-like game board depicting a fictitious Illinois city resembling the service territory of any of the state’s utilities. To decide on the emergency scenarios, he used subject matter experts from the utilities, who told him whether specific situations were realistic.

He also approached emergency management officials — for example, the Illinois Emergency Management Agency, first responders and hospital officials — to gather feedback about what they’d ask of utilities in potential cyber-related emergencies. When Saebeler began planning for the second exercise, held this past December, he used the same game board with minor tweaks and new scenarios.

Throughout the exercises, he said, the focus was on communication: how utilities communicate within their companies and with each other. They all have their individual plans, he said; this allowed them to run through those plans at the same time.

He listed three main takeaways. First of all, he said the exercises reinforced how important it is for utilities to be vigilant and take base-level tactical actions to avoid creating unnecessary cyber risks. Secondly, he said, they emphasized the human aspect of cybersecurity. Human behavior can be a weak point in an organization: An employee accidentally clicks on a harmful email link or gets tricked into connecting a destructive thumb drive to a computer. “You want to be vigilant in keeping your team from veering off-course of what good, secure behavior is,” Saebeler said.

Finally, it’s vital for utilities to be prepared for sudden changes in the tools they have available. Phones might be down in an emergency, or bad weather might prevent access to important sites, and responders will have to work around those obstacles, Saebeler said.

None of these challenges are surprising, he noted. But drilling responses — and seeing how other utilities responded — offered opportunities for companies to streamline their approaches.

This sort of cross-sector collaboration is an evolving practice, he said. “I’m not going to say that we’re the first ones who’ve ever done that, but it’s probably a newer thing.” Saebeler added that all of these utilities rely on each other in some way, and they all use each other’s services to provide their own services. “So in a crisis situation, they need to be working with each other.”

The vulnerabilities

In late 2015, hackers targeted Ukraine’s power grid, resulting in the loss of power for 225,000 customers for several hours. It was the first major driver of utility investment in cybersecurity measures, said Michael Kelly, a research analyst at Navigant.

“I would not be surprised in the slightest if we see another large-scale attack” that “makes everybody’s ears perk up” and prompts hyper growth in the cybersecurity market, he said. But even without that, he anticipates greater utility spending on cybersecurity measures in the coming years.

The surface area available for attackers to hack is exponentially larger now than it was a few years ago, he said. He wrote a 2017 report predicting that global revenue for smart grid cybersecurity will grow from approximately $1.8 billion in 2017 to almost $3.2 billion in 2026. Utilities are making a number of investments in security, he said — for example, antivirus and firewall software — to accompany new smart meters and other internet-connected grid equipment.

“The number of endpoints has been expanded,” Kelly said. “The types of sensors have been expanded.”

“You’ve never really needed some of these IT systems to deal with this before,” he added. Devices like smart meters produce so much data that utilities need new management systems to handle it. They often contract with outside developers like Oracle and Microsoft to get these systems, which come with strong security protections — but utilities also have to be equipped to use the software.

Utilities often lack sufficient IT staff to manage new operating systems, Kelly said. “Not many young IT talent are going to work for utilities,” so companies have the additional challenge of ramping up their expert resources.

Then there’s the challenge of ensuring proper user permissions, so that only the necessary staff have access to sensitive information. Companies are “needing to learn themselves how they can effectively secure their operations with this new technology and make it a holistic security strategy,” Kelly said. Many utilities are bringing on chief security officers.

Aside from the North American Electric Reliability Corporation’s critical infrastructure protection (or CIP) standards, few legislative standards exist in the U.S. to govern cybersecurity preparedness, Kelly said. And even so, he said, those are only minimum standards: Utilities should employ protections beyond just what they’re required.

In Illinois, both ComEd and Ameren emphasize on their websites the importance of security in protecting consumer data. And as Kelly pointed out, no utility executive or software developer wants to be on the front page of The New York Times because their equipment was hacked.

“Ameren takes cybersecurity threats to our nation and our industry very seriously,” an Ameren spokesperson wrote in an email. The company conducts “regular training and education programs for employees to help them detect cybersecurity threats and understand actions needed to help protect Ameren and the personal information of our customers.”

The PUC-utility relationship

In the two years since the Office of Cybersecurity and Risk Management was established, Saebeler’s department has grown from just him to him and one other team member — which he pointed out is still more than many states. Although it has become clear that utility commissions can play a role in cybersecurity, those roles are still developing.

“When we first started, we weren’t fully clear on what we should be focusing on and where the greatest need is,” Saebeler said. The large investor-owned utilities seem to have robust protections in place, he said, leaving his team to figure out what they could add. The most useful role now seems to be for the office to act as a central source of information, interacting with academics and national laboratory programs about new findings, and relaying information back to the utilities.

Through events like the tabletop exercises, Saebeler said the office can help spur utility collaboration.

“Over the last five years, the role of states in cybersecurity has become much clearer,” said Lynn Costantini, deputy director of the Center for Partnerships and Innovation at the National Association of Regulatory Utility Commissioners (NARUC). Commissioners are often viewed primarily as arbiters of cost-effective business practices, she said, but cybersecurity fits into the other public service aspects of their missions. It’s important for regulators to understand the threats utilities face and communicate with them to learn how they protect themselves, she said.

An October strategy guide published by NARUC aims to help commissions determine their own objectives with regard to cybersecurity, which can then help them determine how involved they should be in utility activities and how they can be of service.

Costantini said states may end up regulating the information they require utilities to provide about cybersecurity preparedness. But whether cybersecurity communication is regulated, it’s important that it’s happening, she said.

Utilities have been receptive to greater commission involvement, Costantini added: “Those conversations are proving very fruitful both for the commissions and the utilities.”

Correction: Lynn Costantini is the deputy director of the Center for Partnerships and Innovation at the National Association of Regulatory Utility Commissioners. A previous version of this article misstated her title.